
sirefef virus, computer restarts every 60 seconds


  • This topic is locked
21 replies to this topic

#1 schlud76
  • Members
  • 11 posts

Posted 24 July 2012 - 02:48 PM

I recently got the sirefef virus, and at this point it is causing my computer to shut down and restart within 60 seconds of loading, and is in a continuous loop, not allowing me to do anything about it.

I have seen a few threads already about the virus, and wondered if anyone had an idea of how to go about removing it from my machine. Any help would be greatly appreciated!

#2 schlud76
  • Topic Starter
  • Members
  • 11 posts

Posted 24 July 2012 - 02:55 PM

It's an hp laptop running windows 7 home premium 64 bit. If any more info is necessary please let me know

#3 Orange Blossom
    OBleepin Investigator
  • Moderator
  • 37,011 posts
  • Location:Bloomington, IN

Posted 24 July 2012 - 04:25 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 schlud76
  • Topic Starter
  • Members
  • 11 posts

Posted 24 July 2012 - 04:32 PM

Thanks for the reply. I will try to run the scans but I don't believe they will be able to finish before the system restarts itself from the virus.

schlud76

#5 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 25 July 2012 - 11:58 AM

hi

please do this instead:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt to file, close out this message, then type the following into the search box:
    services.exe
  • now press the search button
  • when the search is complete, search.txt will also be written to your USB
  • type exit and reboot the computer normally
  • please copy and paste both logs in your reply. (FRST.txt and Search.txt)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
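The scan in the procedure above writes FRST.txt. Two parts of that log carry the weight when a responder reads it: the "Bamital & volsnap Check" section, where FRST compares the MD5 of core binaries such as services.exe against known-good values and marks anything else with "<==== ATTENTION!", and the "ZeroAccess:" blocks, where FRST lists the {GUID}\@, \L and \U folder tree it recognises. The following is an added example, not part of this post and not FRST's own code: a Python triage script that reads such a log and pulls out those indicators, plus the renamed services.exe.<hex> copies that pile up in System32 as the infection re-drops the file. The sample log lines are constructed to mirror FRST's format (the paths, GUID and hash are the ones quoted later in this thread); the hidden %APPDATA% directory heuristic and the verdict rule are this example's own, not FRST's.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on FRST.txt output: a few lines in the format
# FRST writes, using the paths, GUID and hash quoted in this thread.
SAMPLE_LOG = r"""
============ One Month Created Files and Folders ==============

2012-07-25 14:13 - 2012-07-25 14:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.AD31457BC9883957
2012-07-24 13:42 - 2012-07-24 13:42 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7378909248902505
2012-07-24 13:42 - 2012-07-24 13:42 - 00050477 ____A C:\Users\Dustin\Desktop\Defogger.exe
2012-07-18 09:27 - 2012-07-18 09:27 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%

ZeroAccess:
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\@
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\U\00000008.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

# One file entry: created - modified - size attrs [(company)] path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{8}) (\S{5}) (?:\(([^)]*)\) )?(.+)$"
)
# A core-binary MD5 check that FRST did not mark as legit:
# "<path> <md5> <tag> <==== ATTENTION!."
MD5_FLAG = re.compile(r"^(.+?) ([0-9A-Fa-f]{32}) (\S+) <==== ATTENTION")
# Renamed copies of the real binary: services.exe.<16 hex digits>
BACKUP_COPY = re.compile(r"\\services\.exe\.[0-9A-Fa-f]{16}$")


@dataclass
class Finding:
    kind: str    # md5-mismatch | zeroaccess-path | services-backup-copy | suspicious-hidden-dir
    path: str
    detail: str


def _basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def triage(log_text):
    """Walk an FRST.txt and return the ZeroAccess-style indicators it contains."""
    findings = []
    in_zeroaccess_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        # FRST prints "ZeroAccess:" then one path per line until a blank line or section header.
        if not line or line.startswith("="):
            in_zeroaccess_block = False
            continue
        if line == "ZeroAccess:":
            in_zeroaccess_block = True
            continue
        if in_zeroaccess_block:
            findings.append(Finding("zeroaccess-path", line, "listed by FRST under a ZeroAccess: header"))
            continue
        m = MD5_FLAG.match(line)
        if m:
            findings.append(Finding("md5-mismatch", m.group(1), f"md5={m.group(2).lower()} tag={m.group(3)}"))
            continue
        m = FILE_LINE.match(line)
        if not m:
            continue
        created, _modified, size, attrs, _company, path = m.groups()
        if BACKUP_COPY.search(path):
            findings.append(Finding("services-backup-copy", path, f"size={int(size)} created={created}"))
        # Heuristic of this example (not an FRST rule): a directory literally named
        # %APPDATA% (an unexpanded variable) under the Windows tree, hidden+system.
        elif (_basename(path) == "%APPDATA%" and "\\windows\\" in path.lower()
              and "H" in attrs and "S" in attrs):
            findings.append(Finding("suspicious-hidden-dir", path, f"attrs={attrs}"))
    return findings


def summarize(findings):
    """Return (verdict, counts). The verdict rule is this example's, not FRST's."""
    counts = dict(Counter(f.kind for f in findings))
    hard = counts.get("md5-mismatch", 0) + counts.get("zeroaccess-path", 0)
    verdict = "infected" if hard else ("suspicious" if counts else "clean")
    return verdict, counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.kind:22} {f.path}  ({f.detail})")
    print(summarize(results))
```

On the sample log this reports one md5-mismatch (the flagged services.exe), two services-backup-copy entries, four zeroaccess-path entries and one suspicious-hidden-dir, and the verdict is "infected". The MD5 mismatch on a core binary is the decisive signal; the other kinds only corroborate it, which is why the verdict rule treats them differently.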


#6 schlud76
  • Topic Starter
  • Members
  • 11 posts

Posted 25 July 2012 - 05:36 PM

hi, here are the logs

Scan result of Farbar Recovery Scan Tool Version: 24-07-2012 01
Ran by SYSTEM at 25-07-2012 17:21:30
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2281256 2010-12-24] (Synaptics Incorporated)
HKLM\...\Run: [AmIcoSinglun64] C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [324096 2010-06-25] (Alcor Micro Corp.)
HKLM\...\Run: [IntelWireless] "C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" /tf Intel Wireless Tray [1928976 2010-03-05] (Intel® Corporation)
HKLM\...\Run: [IntelWirelessWiMAX] "C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe" /tasktray /nosplash [1441792 2010-06-08] (Intel® Corporation)
HKLM\...\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background [611896 2010-01-20] ()
HKLM\...\Run: [HPWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden [363064 2010-06-18] (Hewlett-Packard Company)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-03-04] (IDT, Inc.)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [161304 2010-07-28] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [386584 2010-07-28] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [415256 2010-07-28] (Intel Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-04-27] (Intel Corporation)
HKLM-x32\...\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe" [401192 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d [201512 2009-12-24] (Egis Technology Inc.)
HKLM-x32\...\Run: [VitaKeyTSR] C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisTSR.exe /run [380272 2010-06-08] (Egis Technology Inc. )
HKLM-x32\...\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Quick Launch] C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [586296 2010-11-09] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices [91520 2010-03-13] (Microsoft Corporation)
HKLM-x32\...\Run: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe" [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] "C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [847872 2009-12-02] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [Internet Explorer Update] "C:\Program Files (x86)\Internet Explorer\iexplore_update.exe" [764275 2011-10-09] (Microsoft Corporation)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [VMM Mode Selection] C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe [43520 2011-02-14] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [89456 2011-03-07] (Elaborate Bytes AG)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [HTC Sync Loader] "C:\Program Files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" -startup [634880 2012-04-01] ()
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe" [201112 2012-05-09] (Lavasoft)
HKU\Default\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Default User\...\Run: [HPAdvisorDock] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\Dustin\...\Run: [CTSyncU.exe] "C:\Program Files (x86)\Creative\Sync Manager Unicode\CTSyncU.exe" [868352 2007-07-17] ()
HKU\Dustin\...\Run: [WorkForce 630(Network)] C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGBA.EXE /FU "C:\Windows\TEMP\E_SCBF8.tmp" /EF "HKCU" [224768 2010-01-11] (SEIKO EPSON CORPORATION)
HKU\Dustin\...\Run: [Registry Cleaner Scheduler] "C:\Program Files (x86)\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup [1401224 2011-10-06] (CleanMyPC Software)
HKU\Dustin\...\Run: [Spotify Web Helper] "C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe" [1192664 2012-07-14] ()
HKU\Dustin\...\Run: [Google Update] "C:\Users\Dustin\AppData\Local\Google\Update\GoogleUpdate.exe" /c [116648 2012-07-20] (Google Inc.)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{3AB84AEC-7877-44F1-9461-90DDE276D043}: [NameServer]0.0.0.0
Lsa: [Notification Packages] EgisPwdFilter
EgisDSPwdFilter

==================== Services (Whitelisted) ======

2 CinemaNow Service; C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [400368 2010-06-12] (CinemaNow, Inc.)
2 DvmMDES; "C:\SwSetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe" [338168 2010-06-25] (DeviceVM, Inc.)
2 EgisTec Service; "C:\Program Files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe" [697712 2010-06-08] (Egis Technology Inc. )
2 KMService; C:\Windows\SysWow64\srvany.exe [8192 2010-11-21] ()
2 Lavasoft Ad-Aware Service; "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe" [2152152 2011-09-02] (Lavasoft Limited)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-03-05] ()
2 NIS; "C:\Program Files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe" /s "NIS" /m "C:\Program Files (x86)\Norton Internet Security\Engine\18.0.0.128\diMaster.dll" /prefetch:1 [176504 2010-05-26] (Symantec Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 NOBU; "C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe" SERVICE [2804568 2010-06-01] (Symantec Corporation)
2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [87040 2012-03-23] ()
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2533400 2010-04-15] (Intel Corporation)

========================== Drivers (Whitelisted) =============

3 clwvd; C:\Windows\System32\Drivers\clwvd.sys [32880 2010-06-24] (Windows ® Win 7 DDK provider)
1 DVMIO; C:\Windows\System32\Drivers\DVMIO.sys [20056 2009-11-11] (DeviceVM, Inc.)
3 htcusbnet; C:\Windows\System32\Drivers\htcusbnet.sys [153600 2010-12-14] (HTC Corporation)
3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [17152 2011-04-16] ()
0 Lbd; C:\Windows\System32\Drivers\Lbd.sys [69152 2010-09-22] (Lavasoft AB)
3 NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20100528.021\ENG64.SYS [117808 2010-05-28] (Symantec Corporation)
3 NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20100528.021\EX64.SYS [1773104 2010-05-28] (Symantec Corporation)
1 SRTSP; C:\Windows\system32\drivers\NISx64\1200000.080\SRTSP64.SYS [701800 2010-05-23] (Symantec Corporation)
1 SRTSPX; C:\Windows\system32\drivers\NISx64\1200000.080\SRTSPX64.SYS [38248 2010-05-23] (Symantec Corporation)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-25 17:21 - 2012-07-25 17:21 - 00000000 ____D C:\FRST
2012-07-25 14:13 - 2012-07-25 14:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.AD31457BC9883957
2012-07-24 15:05 - 2012-07-24 15:05 - 00000000 ____D C:\Users\All Users\Recovery
2012-07-24 13:43 - 2012-07-24 13:43 - 00050477 ____A C:\Users\Dustin\Downloads\Defogger (1).exe
2012-07-24 13:42 - 2012-07-24 13:42 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7378909248902505
2012-07-24 13:42 - 2012-07-24 13:42 - 00050477 ____A C:\Users\Dustin\Desktop\Defogger.exe
2012-07-24 13:37 - 2012-07-24 13:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.05386EB27A8DE39B
2012-07-23 18:07 - 2012-07-23 18:07 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E3E91E94E671BB02
2012-07-23 11:26 - 2012-07-23 11:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.67458A88655AA49A
2012-07-23 11:14 - 2012-07-23 11:14 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4305BCD31F270B7C
2012-07-23 11:13 - 2012-07-25 14:13 - 00000408 ____A C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2012-07-23 11:11 - 2012-07-23 11:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D5DF3E723C92DB8B
2012-07-23 11:01 - 2012-07-23 11:01 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ABCEB6C0EBEB91E6
2012-07-23 10:57 - 2012-07-23 10:57 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.30C070D85900D0D2
2012-07-20 22:59 - 2012-07-20 22:59 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-20 22:58 - 2012-07-23 13:51 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-20 22:58 - 2012-07-23 13:51 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-07-20 22:57 - 2012-07-20 22:57 - 12621696 ____A (Microsoft Corporation) C:\Users\Dustin\Downloads\mseinstall.exe
2012-07-20 22:45 - 2012-07-23 10:56 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2384114869-1970877100-1680016307-1000UA.job
2012-07-20 22:45 - 2012-07-20 22:56 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2384114869-1970877100-1680016307-1000Core.job
2012-07-20 22:45 - 2012-07-20 22:45 - 00739856 ____A (Google Inc.) C:\Users\Dustin\Downloads\ChromeSetup.exe
2012-07-20 22:36 - 2012-07-20 22:36 - 00000000 ____D C:\Users\Dustin\AppData\Local\Macromedia
2012-07-20 22:19 - 2012-07-20 22:19 - 04587128 ____A (Lavasoft Limited) C:\Users\Dustin\Downloads\Adaware_Installer.exe
2012-07-19 18:38 - 2012-07-20 10:11 - 02931712 ____A C:\Users\Dustin\Downloads\Chapter 6 Textbook Slides.ppt
2012-07-19 18:35 - 2012-07-19 18:35 - 00708608 ____A C:\Users\Dustin\Downloads\Chapter 8 Textbook Slides.ppt
2012-07-19 18:32 - 2012-07-19 18:32 - 01377792 ____A C:\Users\Dustin\Downloads\Chapter 7A Textbook Slides.ppt
2012-07-19 18:31 - 2012-07-20 10:11 - 01190400 ____A C:\Users\Dustin\Downloads\Chapter 7 Textbook Slides.ppt
2012-07-19 18:25 - 2012-07-20 10:11 - 00819712 ____A C:\Users\Dustin\Downloads\Chapter 6A Textbook Slides.ppt
2012-07-18 09:27 - 2012-07-18 09:27 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-07-11 12:11 - 2012-07-11 12:11 - 00000000 ____A C:\Windows\SysWOW64\sho9D3A.tmp
2012-07-11 12:10 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 11:40 - 2012-07-11 11:40 - 00175286 ____A C:\Users\Dustin\Downloads\All Payment Methods071112.csv
2012-07-11 07:45 - 2012-07-11 07:45 - 00264880 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-10 10:08 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-10 10:08 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-10 10:08 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-10 10:08 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-10 10:08 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-10 10:08 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-10 10:08 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-10 10:08 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-07-10 10:08 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-10 10:08 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-10 10:08 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-10 10:08 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-10 10:08 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-10 10:08 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-10 10:08 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-10 10:08 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-10 10:08 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-10 10:08 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-10 10:08 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-07-09 09:24 - 2012-07-09 09:24 - 01172480 ____A C:\Users\Dustin\Downloads\Chapter 1 Textbook Slides (1).ppt
2012-07-06 10:46 - 2012-07-06 10:46 - 01172480 ____A C:\Users\Dustin\Downloads\Chapter 1 Textbook Slides.ppt
2012-06-25 13:04 - 2012-06-25 13:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll

============ 3 Months Modified Files ========================

2012-07-25 14:17 - 2010-10-04 05:54 - 00000050 ____A C:\Windows\System32\SupplicantTest.log
2012-07-25 14:16 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-25 14:16 - 2009-07-13 20:51 - 00061080 ____A C:\Windows\setupact.log
2012-07-25 14:15 - 2010-11-23 20:04 - 00022316 ____A C:\aaw7boot.log
2012-07-25 14:13 - 2012-07-25 14:13 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.AD31457BC9883957
2012-07-25 14:13 - 2012-07-23 11:13 - 00000408 ____A C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2012-07-25 14:13 - 2011-11-20 23:43 - 00000346 ____A C:\Windows\Tasks\RegistryBooster.job
2012-07-25 14:09 - 2011-04-29 13:51 - 00000064 ____A C:\Windows\SysWOW64\rp_stats.dat
2012-07-25 14:09 - 2011-04-29 13:51 - 00000044 ____A C:\Windows\SysWOW64\rp_rules.dat
2012-07-24 13:46 - 2010-10-04 05:51 - 00049830 ____A C:\Windows\PFRO.log
2012-07-24 13:43 - 2012-07-24 13:43 - 00050477 ____A C:\Users\Dustin\Downloads\Defogger (1).exe
2012-07-24 13:42 - 2012-07-24 13:42 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.7378909248902505
2012-07-24 13:42 - 2012-07-24 13:42 - 00050477 ____A C:\Users\Dustin\Desktop\Defogger.exe
2012-07-24 13:37 - 2012-07-24 13:37 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.05386EB27A8DE39B
2012-07-23 18:07 - 2012-07-23 18:07 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.E3E91E94E671BB02
2012-07-23 11:26 - 2012-07-23 11:26 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.67458A88655AA49A
2012-07-23 11:25 - 2012-01-19 13:46 - 00000258 _RASH C:\Users\All Users\ntuser.pol
2012-07-23 11:14 - 2012-07-23 11:14 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.4305BCD31F270B7C
2012-07-23 11:11 - 2012-07-23 11:11 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.D5DF3E723C92DB8B
2012-07-23 11:01 - 2012-07-23 11:01 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.ABCEB6C0EBEB91E6
2012-07-23 10:57 - 2012-07-23 10:57 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\services.exe.30C070D85900D0D2
2012-07-23 10:56 - 2012-07-20 22:45 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2384114869-1970877100-1680016307-1000UA.job
2012-07-23 10:54 - 2010-10-04 05:43 - 01290019 ____A C:\Windows\WindowsUpdate.log
2012-07-20 22:59 - 2012-07-20 22:59 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-20 22:58 - 2010-11-19 17:08 - 00797742 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-20 22:57 - 2012-07-20 22:57 - 12621696 ____A (Microsoft Corporation) C:\Users\Dustin\Downloads\mseinstall.exe
2012-07-20 22:56 - 2012-07-20 22:45 - 00000860 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2384114869-1970877100-1680016307-1000Core.job
2012-07-20 22:45 - 2012-07-20 22:45 - 00739856 ____A (Google Inc.) C:\Users\Dustin\Downloads\ChromeSetup.exe
2012-07-20 22:40 - 2009-07-13 21:13 - 00780156 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-20 22:40 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-20 22:40 - 2009-07-13 20:45 - 00023248 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-20 22:36 - 2010-11-18 15:47 - 00000192 ____A C:\Users\Dustin\AppData\Local\mv_Photo.xml
2012-07-20 22:36 - 2010-11-18 15:47 - 00000119 ____A C:\Users\Dustin\AppData\Local\mv_music.xml
2012-07-20 22:34 - 2012-04-03 05:12 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-20 22:34 - 2011-05-18 05:36 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-20 22:32 - 2011-11-20 15:50 - 00000336 ____A C:\Windows\Tasks\HPCeeScheduleForDustin.job
2012-07-20 22:19 - 2012-07-20 22:19 - 04587128 ____A (Lavasoft Limited) C:\Users\Dustin\Downloads\Adaware_Installer.exe
2012-07-20 10:11 - 2012-07-19 18:38 - 02931712 ____A C:\Users\Dustin\Downloads\Chapter 6 Textbook Slides.ppt
2012-07-20 10:11 - 2012-07-19 18:31 - 01190400 ____A C:\Users\Dustin\Downloads\Chapter 7 Textbook Slides.ppt
2012-07-20 10:11 - 2012-07-19 18:25 - 00819712 ____A C:\Users\Dustin\Downloads\Chapter 6A Textbook Slides.ppt
2012-07-19 18:35 - 2012-07-19 18:35 - 00708608 ____A C:\Users\Dustin\Downloads\Chapter 8 Textbook Slides.ppt
2012-07-19 18:32 - 2012-07-19 18:32 - 01377792 ____A C:\Users\Dustin\Downloads\Chapter 7A Textbook Slides.ppt
2012-07-14 07:40 - 2011-10-29 12:14 - 00000000 ____A C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2012-07-14 07:40 - 2010-11-19 14:42 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-07-11 19:24 - 2009-07-13 20:45 - 00431976 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 12:11 - 2012-07-11 12:11 - 00000000 ____A C:\Windows\SysWOW64\sho9D3A.tmp
2012-07-11 11:40 - 2012-07-11 11:40 - 00175286 ____A C:\Users\Dustin\Downloads\All Payment Methods071112.csv
2012-07-11 07:45 - 2012-07-11 07:45 - 00264880 ____A C:\Windows\msxml4-KB2721691-enu.LOG
2012-07-11 07:37 - 2010-11-19 17:12 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-07-09 09:24 - 2012-07-09 09:24 - 01172480 ____A C:\Users\Dustin\Downloads\Chapter 1 Textbook Slides (1).ppt
2012-07-06 10:46 - 2012-07-06 10:46 - 01172480 ____A C:\Users\Dustin\Downloads\Chapter 1 Textbook Slides.ppt
2012-06-25 13:04 - 2012-06-25 13:04 - 01394248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml4.dll
2012-06-11 19:08 - 2012-07-11 12:10 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-10 10:08 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-10 10:08 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-10 10:08 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-10 10:08 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-10 10:08 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-10 10:08 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-10 10:08 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-10 10:08 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-24 12:35 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-24 12:35 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-24 12:35 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-24 12:35 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-24 12:35 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-24 12:35 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-24 12:35 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 12:19 - 2012-06-24 12:35 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 12:15 - 2012-06-24 12:35 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 21:50 - 2012-07-10 10:08 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-10 10:08 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-10 10:08 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-10 10:08 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-10 10:08 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-10 10:08 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-10 10:08 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-10 10:08 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-10 10:08 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-31 09:25 - 2010-11-18 19:30 - 00279656 ____A (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-05-14 20:01 - 2012-06-13 18:46 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-14 19:59 - 2012-06-13 18:46 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-14 19:03 - 2012-06-13 18:46 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-14 19:00 - 2012-06-13 18:46 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-10 21:52 - 2012-05-10 21:52 - 00000000 ____A C:\Windows\SysWOW64\shoDA8.tmp
2012-05-06 17:41 - 2010-11-18 20:29 - 00000947 ____A C:\Users\Public\Desktop\µTorrent.lnk
2012-05-04 10:00 - 2012-04-30 23:00 - 08744608 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-05-04 03:06 - 2012-06-13 18:45 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 02:03 - 2012-06-13 18:45 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:03 - 2012-06-13 18:45 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-04-30 22:11 - 2012-04-30 22:11 - 00000000 ____A C:\Windows\SysWOW64\sho97A8.tmp
2012-04-30 21:40 - 2012-06-13 18:45 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-27 19:55 - 2012-06-13 18:44 - 00210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys


ZeroAccess:
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\@
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\L
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\n
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\U
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\L\00000004.@
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\L\1afb2d56
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\L\201d3dde
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\U\00000008.@

ZeroAccess:
C:\Users\Dustin\AppData\Local\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}
C:\Users\Dustin\AppData\Local\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\@
C:\Users\Dustin\AppData\Local\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\L
C:\Users\Dustin\AppData\Local\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\U
C:\Users\Dustin\AppData\Local\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\U\00000008.@

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 19%
Total physical RAM: 3893.86 MB
Available physical RAM: 3143.38 MB
Total Pagefile: 3892.01 MB
Available Pagefile: 3139.39 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:441.83 GB) (Free:100.85 GB) NTFS ==>[System with boot components (obtained from reading drive)]
2 Drive e: (RECOVERY) (Fixed) (Total:23.64 GB) (Free:3.45 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
5 Drive h: (USB20FD) (Removable) (Total:14.92 GB) (Free:14.92 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: (SYSTEM) (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 14 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 199 MB 1024 KB
Partition 2 Primary 441 GB 200 MB
Partition 3 Primary 23 GB 442 GB
Partition 4 Primary 103 MB 465 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 199 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 441 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E RECOVERY NTFS Partition 23 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F HP_TOOLS FAT32 Partition 103 MB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 5272 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H USB20FD FAT32 Removable 14 GB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-17 21:05

======================= End Of Log ==========================




Farbar Recovery Scan Tool Version: 24-07-2012 01
Ran by SYSTEM at 2012-07-25 17:23:32
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======



Thanks.

#7 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 25 July 2012 - 05:43 PM

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

start
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}
C:\Users\Dustin\AppData\Local\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once, then wait.
The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location: Link
    IMPORTANT!!! Place ComboFix.exe on your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here.
  • Double-click on ComboFix.exe and follow the prompts.
  • Your desktop may go blank. This is normal; it will return when ComboFix is done. ComboFix may reboot your machine. This is also normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window whilst it is running. That may cause it to stall.
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

NOTE: If you encounter the message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run, please just reboot; that will resolve the error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
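Added example, not part of the thread and not code from FRST or ComboFix: a small Python script that works through the two FRST fragments quoted above the way the helper did by eye. It parses the "Search: services.exe" block, flags the live services.exe whose MD5 differs from the pristine copy in the WinSxS component store (the same size and timestamps, a different hash, so the binary was patched in place), renders the matching fixlist `replace:` line, and recognises the ZeroAccess folder layout ({GUID} with @, U, L, n entries; Desktop.ini under GAC_32/GAC_64). The sample data is constructed from the posted log lines, the extra `{11111111-...}` folder is a placeholder control, and the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the FRST "Search: services.exe" block as posted in the thread.
SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

# Constructed sample: paths from the FRST scan above, plus one benign GUID folder
# (placeholder GUID) as a control that must not be flagged.
SCAN_PATHS = r"""
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\@
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\n
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\U
C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\U\00000008.@
C:\Users\Dustin\AppData\Local\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}
C:\Users\Dustin\AppData\Local\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\@
C:\Users\Dustin\AppData\Local\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\U
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\Installer\{11111111-2222-3333-4444-555555555555}\setup.msi
""".split()

# One FRST search entry: a path line, then a detail line ending in the file's MD5.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+)\r?\n"
    r"\[[^\]]*\] - \[[^\]]*\] - (?P<size>\d+) \S+ "
    r"(?:\((?P<vendor>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})[ \t]*$",
    re.MULTILINE,
)
# A GUID-named folder and its immediate child entry (ZeroAccess uses @, L, U, n).
GUID_DIR_RE = re.compile(
    r"^(?P<base>.*\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})"
    r"(?:\\(?P<child>[^\\]+))?",
    re.IGNORECASE,
)
GAC_INI_RE = re.compile(r"\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.IGNORECASE)


def parse_search_block(text):
    """Return one dict per file entry in an FRST 'Search:' block."""
    return [
        {"path": m.group("path").strip(), "size": int(m.group("size")),
         "vendor": m.group("vendor") or "", "md5": m.group("md5").upper()}
        for m in ENTRY_RE.finditer(text)
    ]


def find_hash_mismatches(entries):
    """Compare each live copy of a file with the pristine copy in the WinSxS store.

    Same size and timestamps but a different MD5 is what FRST flagged for
    services.exe: the binary was patched in place rather than replaced.
    """
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    findings = []
    for copies in by_name.values():
        refs = [c for c in copies if "\\winsxs\\" in c["path"].lower()]
        if not refs:
            continue  # no component-store copy to compare against
        ref = refs[0]
        for c in copies:
            if c in refs or c["md5"] == ref["md5"]:
                continue
            findings.append({
                "file": c["path"], "reference": ref["path"],
                "expected_md5": ref["md5"], "actual_md5": c["md5"],
                "same_size": c["size"] == ref["size"],
            })
    return findings


def fixlist_replace_line(finding):
    """Render the FRST fixlist directive used in the thread: 'replace: <source> <target>'."""
    return f"replace: {finding['reference']} {finding['file']}"


def find_zeroaccess_layout(paths):
    """Flag GUID folders holding the '@' marker plus a 'U' or 'L' subfolder, and
    Desktop.ini files dropped into the GAC folders (both seen in the scan above)."""
    children = defaultdict(set)
    for p in paths:
        m = GUID_DIR_RE.match(p)
        if m and m.group("child"):
            children[m.group("base")].add(m.group("child"))
    flagged = sorted(b for b, kids in children.items() if "@" in kids and kids & {"U", "L"})
    gac_inis = sorted(p for p in paths if GAC_INI_RE.search(p))
    return flagged, gac_inis
```

Run against the constructed sample, `fixlist_replace_line` reproduces the `replace:` line in the helper's fixlist exactly, and the placeholder GUID folder is left unflagged because it carries none of the marker entries.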


#8 schlud76
  • Topic Starter
  • Members
  • 11 posts

Posted 25 July 2012 - 06:59 PM

Hi, thank you for the fast responses. I have posted the fixlog.txt and combofix.txt reports below, respectively.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 24-07-2012 01
Ran by SYSTEM at 2012-07-25 18:04:10 Run:1
Running from H:\

==============================================

C:\Windows\Installer\{e0215c18-a927-c2f2-1bf5-1aecd28370f1} moved successfully.
C:\Users\Dustin\AppData\Local\{e0215c18-a927-c2f2-1bf5-1aecd28370f1} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====




ComboFix 12-07-26.04 - Dustin 07/25/2012 18:18:56.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3894.2148 [GMT -5:00]
Running from: c:\users\Dustin\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Norton Internet Security *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))
.
.
2012-07-26 01:21 . 2012-07-26 01:21 -------- d-----w- C:\FRST
2012-07-25 23:36 . 2012-07-25 23:36 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AC94E996-D39E-489E-8664-49CA3D889FC6}\offreg.dll
2012-07-25 23:00 . 2012-07-25 23:00 328704 ----a-w- c:\windows\system32\services.exe.0BE81A717C950837
2012-07-25 22:35 . 2012-07-25 22:35 328704 ----a-w- c:\windows\system32\services.exe.CE4E42D42BE73505
2012-07-25 22:13 . 2012-07-25 22:13 328704 ----a-w- c:\windows\system32\services.exe.AD31457BC9883957
2012-07-24 23:05 . 2012-07-24 23:05 -------- d-----w- c:\programdata\Recovery
2012-07-24 21:42 . 2012-07-24 21:42 328704 ----a-w- c:\windows\system32\services.exe.7378909248902505
2012-07-24 21:37 . 2012-07-24 21:37 328704 ----a-w- c:\windows\system32\services.exe.05386EB27A8DE39B
2012-07-24 02:07 . 2012-07-24 02:07 328704 ----a-w- c:\windows\system32\services.exe.E3E91E94E671BB02
2012-07-23 19:26 . 2012-07-23 19:26 328704 ----a-w- c:\windows\system32\services.exe.67458A88655AA49A
2012-07-23 19:14 . 2012-07-23 19:14 328704 ----a-w- c:\windows\system32\services.exe.4305BCD31F270B7C
2012-07-23 19:11 . 2012-07-23 19:11 328704 ----a-w- c:\windows\system32\services.exe.D5DF3E723C92DB8B
2012-07-23 19:01 . 2012-07-23 19:01 328704 ----a-w- c:\windows\system32\services.exe.ABCEB6C0EBEB91E6
2012-07-23 18:57 . 2012-07-23 18:57 328704 ----a-w- c:\windows\system32\services.exe.30C070D85900D0D2
2012-07-23 18:56 . 2012-02-09 19:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{79A3FA7F-52FF-4204-856A-B288C1840B7E}\gapaengine.dll
2012-07-23 18:55 . 2012-07-16 07:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{AC94E996-D39E-489E-8664-49CA3D889FC6}\mpengine.dll
2012-07-21 06:58 . 2012-07-23 21:51 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-07-21 06:58 . 2012-07-23 21:51 -------- d-----w- c:\program files\Microsoft Security Client
2012-07-21 06:36 . 2012-07-21 06:36 -------- d-----w- c:\users\Dustin\AppData\Local\Macromedia
2012-07-18 17:27 . 2012-07-18 17:27 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-17 10:03 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{28629CA8-5A71-430D-A907-7D8C7B6ED762}\mpengine.dll
2012-07-11 20:10 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-21 06:34 . 2012-04-03 13:12 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-21 06:34 . 2011-05-18 13:36 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-11 20:11 . 2012-07-11 20:11 0 ----a-w- c:\windows\SysWow64\sho9D3A.tmp
2012-07-11 15:37 . 2010-11-20 01:12 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-06-25 21:04 . 2012-06-25 21:04 1394248 ----a-w- c:\windows\SysWow64\msxml4.dll
2012-06-06 05:05 . 2012-07-10 18:08 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-10 18:08 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-10 18:08 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-06-02 22:19 . 2012-06-24 20:35 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-24 20:35 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-24 20:35 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-24 20:35 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-24 20:35 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-24 20:35 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-24 20:35 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 20:19 . 2012-06-24 20:35 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 20:15 . 2012-06-24 20:35 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 04:40 . 2012-07-10 18:08 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:40 . 2012-07-10 18:08 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:39 . 2012-07-10 18:08 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:34 . 2012-07-10 18:08 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2012-06-01 12:44 . 2012-06-01 12:44 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
2012-05-31 17:25 . 2010-11-19 03:30 279656 ----a-w- c:\windows\system32\MpSigStub.exe
2012-05-15 04:01 . 2012-06-14 02:46 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 03:59 . 2012-06-14 02:46 64512 ----a-w- c:\windows\system32\jsproxy.dll
2012-05-15 03:03 . 2012-06-14 02:46 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-05-11 05:52 . 2012-05-11 05:52 0 ----a-w- c:\windows\SysWow64\shoDA8.tmp
2012-05-04 18:00 . 2012-05-01 07:00 8744608 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-05-04 11:06 . 2012-06-14 02:45 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-14 02:45 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-14 02:45 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-01 06:11 . 2012-05-01 06:11 0 ----a-w- c:\windows\SysWow64\sho97A8.tmp
2012-05-01 05:40 . 2012-06-14 02:45 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-04-28 03:55 . 2012-06-14 02:44 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2012-04-11 20:08 87440 ----a-w- c:\program files (x86)\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files (x86)\adawaretb\adawareDx.dll" [2012-04-11 87440]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1475584]
"CTSyncU.exe"="c:\program files (x86)\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"Registry Cleaner Scheduler"="c:\program files (x86)\CleanMyPC\Registry Cleaner\RCHelper.exe" [2011-10-06 1401224]
"Spotify Web Helper"="c:\program files (x86)\Spotify\Data\SpotifyWebHelper.exe" [2012-07-15 1192664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-04-27 284696]
"EgisTecPMMUpdate"="c:\program files (x86)\EgisTec IPS\PmmUpdate.exe" [2009-12-25 401192]
"EgisUpdate"="c:\program files (x86)\EgisTec IPS\EgisUpdate.exe" [2009-12-25 201512]
"VitaKeyTSR"="c:\program files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisTSR.exe" [2010-06-09 380272]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-11-09 586296]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"EEventManager"="c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"FUFAXSTM"="c:\program files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-12-03 847872]
"Internet Explorer Update"="c:\program files (x86)\Internet Explorer\iexplore_update.exe" [2011-10-09 764275]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"VMM Mode Selection"="c:\program files\HTC\ModeSelection\VMMModeSelection.exe" [2011-02-14 43520]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"HTC Sync Loader"="c:\program files (x86)\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2012-04-01 634880]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2012-05-09 201112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 KMService;KMService;c:\windows\system32\srvany.exe [x]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [2010-06-26 40448]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-11-02 33736]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-25 36928]
R3 htcusbnet;HTC USB-NDIS miniport;c:\windows\system32\DRIVERS\htcusbnet.sys [2010-12-15 153600]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [2010-03-05 340240]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2010-03-18 7680512]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-06-10 5434368]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-08-25 349800]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS [2009-06-10 292864]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS [2009-06-10 1485312]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS [2009-06-10 740864]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-20 1255736]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-06-10 389120]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-09-23 69152]
S1 DVMIO;DeviceVM IO Service;c:\windows\system32\DRIVERS\dvmio.sys [2009-11-11 20056]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe [2011-03-05 89600]
S2 CinemaNow Service;CinemaNow Service;c:\program files (x86)\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe [2010-06-13 400368]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\Intel\WiMAX\Bin\DMAgent.exe [2010-06-07 408576]
S2 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\HPQWMM\QuickWeb\QW.SYS\config\DVMExportService.exe [2010-06-25 338168]
S2 EgisTec Service;EgisTec Service;c:\program files (x86)\Hewlett-Packard\HP SimplePass Identity Protection\EgisService.exe [2010-06-09 697712]
S2 EgisTec Ticket Service;EgisTec Ticket Service;c:\program files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [2010-06-09 646000]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2011-09-09 86072]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2010-06-18 103992]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2011-05-21 103992]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2009-07-08 30520]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-11-09 26680]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-04-27 13336]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-09-02 2152152]
S2 NIS;Norton Internet Security;c:\program files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe [2010-05-23 126904]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 PassThru Service;Internet Pass-Through Service;c:\program files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [2012-03-23 87040]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-04-15 2533400]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-02-23 2192176]
S2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\Intel\WiMAX\Bin\AppSrv.exe [2010-06-07 911872]
S3 bpenum;bpenum;c:\windows\system32\DRIVERS\bpenum.sys [2010-05-17 71168]
S3 bpmp;Intel® Centrino® WiMAX 6050 Series;c:\windows\system32\DRIVERS\bpmp.sys [2010-05-17 175104]
S3 bpusb;bpusb;c:\windows\system32\Drivers\bpusb.sys [2010-05-17 81920]
S3 clwvd;HP Webcam Splitter;c:\windows\system32\DRIVERS\clwvd.sys [2010-06-25 32880]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-01-22 287232]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-04-16 17152]
S3 NETwNs64;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETwNs64.sys [2011-04-18 8507392]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
S3 wdkmd;Intel WiDi KMD;c:\windows\system32\DRIVERS\WDKMD.sys [2010-04-16 39832]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - LAVASOFT_KERNEXPLORER
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2384114869-1970877100-1680016307-1000Core.job
- c:\users\Dustin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-21 06:45]
.
2012-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2384114869-1970877100-1680016307-1000UA.job
- c:\users\Dustin\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-21 06:45]
.
2012-07-21 c:\windows\Tasks\HPCeeScheduleForDustin.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14 04:15]
.
2012-07-25 c:\windows\Tasks\RegistryBooster.job
- c:\program files (x86)\Uniblue\RegistryBooster\rbmonitor.exe [2011-11-21 08:26]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AmIcoSinglun64"="c:\program files (x86)\AmIcoSingLun\AmIcoSinglun64.exe" [2010-06-26 324096]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-03-05 1928976]
"IntelWirelessWiMAX"="c:\program files\Intel\WiMAX\Bin\WiMAXCU.exe" [2010-06-08 1441792]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-20 611896]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2010-06-18 8192]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-03-05 525312]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-29 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-29 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-29 415256]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
"combofix"="c:\combofix\CF27148.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{3AB84AEC-7877-44F1-9461-90DDE276D043}: NameServer = 0.0.0.0
FF - ProfilePath - c:\users\Dustin\AppData\Roaming\Mozilla\Firefox\Profiles\yrt0yyx4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cbssports.com/collegefootball
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\18.0.0.128\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files (x86)\Norton Internet Security\Engine\18.0.0.128\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\18.0.0.128\InstStub.exe
c:\program files (x86)\Hewlett-Packard\Media\Webcam\YCMMirage.exe
c:\program files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2012-07-25 18:54:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-25 23:54
.
Pre-Run: 109,824,778,240 bytes free
Post-Run: 109,774,987,264 bytes free
.
- - End Of File - - B2136E1429CECBFB0D3EA839821F9E20

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:23 PM

Posted 25 July 2012 - 07:12 PM

Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#10 schlud76

schlud76
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 26 July 2012 - 08:16 AM

Here are the mbam log and esetscan logs, respectively


7/25/2012 7:17:14 PM
mbam-log-2012-07-25 (19-17-14).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216342
Time elapsed: 7 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Internet Explorer Update (Trojan.StartPage.GNO) -> Data: "C:\Program Files (x86)\Internet Explorer\iexplore_update.exe" -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files (x86)\Internet Explorer\iexplore_update.exe (Trojan.StartPage.GNO) -> Quarantined and deleted successfully.

(end)


-------------------------------------------------------------------------------------------------------------------



C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan
C:\FRST\Quarantine\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\n Win64/Sirefef.W trojan
C:\FRST\Quarantine\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\U\00000008.@ Win64/Agent.BA trojan
C:\FRST\Quarantine\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\{e0215c18-a927-c2f2-1bf5-1aecd28370f1}\U\00000008.@ Win64/Agent.BA trojan
C:\Program Files (x86)\Uniblue\RegistryBooster\Launcher.exe Win32/RegistryBooster application
C:\Program Files (x86)\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster application
C:\Program Files (x86)\Uniblue\RegistryBooster\rbnotifier.exe Win32/RegistryBooster application
C:\Program Files (x86)\Uniblue\RegistryBooster\rb_move_serial.exe Win32/RegistryBooster application
C:\Program Files (x86)\Uniblue\RegistryBooster\rb_ubm.exe Win32/RegistryBooster application
C:\Program Files (x86)\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application
C:\ProgramData\Rosetta Stone\Content\data\1c\2\1c2136a7c1675c9ff26a4bae649e01faeac67f54 SWF/Exploit.CVE-2007-0071 trojan
C:\Users\All Users\Rosetta Stone\Content\data\1c\2\1c2136a7c1675c9ff26a4bae649e01faeac67f54 SWF/Exploit.CVE-2007-0071 trojan
C:\Users\Dustin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\6685d300-539fbc84 Java/Exploit.CVE-2010-4452.A trojan
C:\Users\Dustin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\15\15db5dcf-79cbd130 multiple threats
C:\Users\Dustin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\193d1082-2922d31e multiple threats
C:\Users\Dustin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\20\7aed90d4-17da5c94 multiple threats
C:\Users\Dustin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\24cadfe0-3683aadd Java/Agent.DN trojan
C:\Users\Dustin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\34\148903a2-43556bc0 multiple threats
C:\Users\Dustin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\48\7dfe91b0-3374cc98 Java/Exploit.Agent.NBR trojan
C:\Users\Dustin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\143b51c7-1d2635dc a variant of Java/TrojanDownloader.OpenStream.NCC trojan
Operating memory Win32/RegistryBooster application

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:23 PM

Posted 26 July 2012 - 08:38 AM

I suggest uninstalling Registry Booster; it's not recommended to have.
A recognized security expert writes about them here:
http://miekiemoes.blogspot.ca/2008/02/registry-cleaners-and-system-tweaking_13.html


what is the source of the Rosetta Stone content?
C:\ProgramData\Rosetta Stone\Content\data\1c\2\1c2136a7c1675c9ff26a4bae649e01faeac67f54

as ESET is alerting to it.

If it's from a torrent source rather than an installation disk, then I would delete it.

We need to empty the Java cache to remove those other detections:

Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.


NEXT


Your Java is out of date, so go to Start > Control Panel > Programs and Features > scroll down to the Java installation and Remove it, now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp


NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT


Please advise how the computer is running now and if there are any outstanding issues



#12 schlud76

schlud76
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:23 PM

Posted 26 July 2012 - 08:56 AM

I followed all of your steps and everything seems to be working great, I haven't encountered any problems yet. Is there anything else that I should do? Thanks again for all of your help!

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Location:Canada
  • Local time:03:23 PM

Posted 26 July 2012 - 09:04 AM

I just want to make certain your Windows updates are working, as this infection is known to break some services.

please do the following:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



#14 schlud76

schlud76
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:23 PM

Posted 26 July 2012 - 09:14 AM

Farbar Service Scanner Version: 22-07-2012
Ran by Dustin (administrator) on 26-07-2012 at 09:13:56
Running from "C:\Users\Dustin\Downloads"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:03:23 PM

Posted 26 July 2012 - 09:29 AM

Please run the following:

Click WinKey + R to open a run box > type notepad into the open run box > OK > this will open Notepad

Click Format and make certain that Word Wrap is NOT checked.

Copy/Paste the text inside of the code box into the open Notepad


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"Last Counter"=dword:00000fc8
"Last Help"=dword:00000fc9
"First Counter"=dword:00000fb8
"First Help"=dword:00000fb9
"Object List"="4024"
"1008"=hex(b):50,94,22,ad,0d,ad,cc,01
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,94,00,00,00,a4,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
  00,00,20,02,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,\
  00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00


Now go to File > and click Save As,
From the drop down menu at the top of the box choose Desktop as the location to save this file.
Go down to the File Name box and type in fixme.reg as the file name, then choose All Files as the save as file type.
Then click the save button.

Once you have clicked the save button, close Notepad.

You should now see a file on your desktop that looks like this:

[image: the fixme.reg icon on the desktop]

Locate the fixme.reg icon on your desktop and double click it, an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry so you can delete fixme.reg from your desktop as you won't be needing it any more.


Now reboot and retry the Windows updates


NEXT


Please go to Services and see if you can start the sharedaccess service.

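A .reg file pasted from a forum post is merged with SYSTEM-level effect the moment it is double-clicked, and the hex(2) and hex(7) values in the fix above are UTF-16LE byte dumps that cannot be read as posted. The following Python is an added example, not part of this thread or of any tool it mentions: it parses .reg text (quoted strings, dword:, hex:, hex(2):, hex(7):, hex(b):, with the trailing-backslash line continuations) and summarises what the fix sets for BITS in the same fields Farbar Service Scanner reported on (start type, ImagePath, ServiceDll). SAMPLE_REG is a constructed excerpt of the fixme.reg above (a subset of its values, with the "1008" performance-counter line written as hex(b), a REG_QWORD); the function names are my own.

```python
"""Decode a Windows .reg export so its values can be read before it is merged.
Added example for the BITS fix discussed in this thread; it is not part of the
thread or of any tool mentioned in it."""
import re

# Constructed excerpt of the fixme.reg posted above: a subset of its values,
# with the "1008" line written as hex(b) (REG_QWORD, 8 little-endian bytes).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"1008"=hex(b):50,94,22,ad,0d,ad,cc,01
"""

BITS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS"
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$")


def _join_continuations(text):
    """Glue lines ending in a backslash onto the next line, dropping its indent."""
    lines, buf = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        lines.append(buf + stripped)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_value(raw):
    """Return (registry type name, Python value) for the text right of '='."""
    if raw.startswith('"'):                       # REG_SZ, with \\ and \" escapes
        return "REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[len("dword:"):], 16)
    m = _HEX_RE.match(raw)
    if not m:
        raise ValueError("unsupported value encoding: " + raw)
    kind = int(m.group(1), 16) if m.group(1) else 3   # bare hex: is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind == 2:                                 # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00")
    if kind == 7:                                 # REG_MULTI_SZ: NUL-separated, double NUL at end
        return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\x00") if s]
    if kind == 0xB:                               # REG_QWORD: 8-byte little-endian integer
        return "REG_QWORD", int.from_bytes(data, "little")
    return ("REG_BINARY" if kind == 3 else "REG_TYPE_%X" % kind), data


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (type, value)}}."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError("cannot parse line: " + line)
        name = m.group(1) if m.group(1) is not None else "@"   # @ is the key's default value
        keys[current][name] = _decode_value(m.group(2))
    return keys


def audit_bits_fix(text):
    """Summarise what the fix writes for BITS, in the fields FSS reported on."""
    keys = parse_reg(text)
    svc, params = keys[BITS], keys[BITS + r"\Parameters"]
    return {
        "start": START_TYPES[svc["Start"][1]],
        "image_path": svc["ImagePath"][1],
        "service_dll": params["ServiceDll"][1],
        "depends_on": svc["DependOnService"][1],
        "runs_as": svc["ObjectName"][1],
    }


if __name__ == "__main__":
    for field, value in audit_bits_fix(SAMPLE_REG).items():
        print("%-12s %s" % (field, value))
```

Decoded, the fix sets Start to 2 (Automatic), ImagePath to `%SystemRoot%\system32\svchost.exe -k netsvcs` and ServiceDll to `%systemroot%\system32\qmgr.dll`, which is consistent with the FSS log above reporting the ImagePath and ServiceDll as OK and only the start type as missing. Run the same decode over any .reg you did not write yourself; a value that points at a path outside System32, or a Start type you did not expect, is reason to stop before merging.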




